1. Security Testing of Mobile Applications
(Android - BlackBerry - iOS)

2. Introduction to Android Security & AppUse
Mobile application threat model - What makes mobile application security so different?
• The Android linux OS security
• The Dalvik VM
• The Android security mechanisms
• Application file system isolation
• The permission model
• Least privilege model
• Database isolation
• The Android emulator VS. physical device
• The AppUse VM ("Android Pen-test Platform Unified Standalone Environment")
• The Android Debug Bridge (ADB)
• The logcat interface

3. Traffic Analysis and Manipulation
• Intro to server side attacks - SQL injection, XSS
• Insecure remote Authentication - client id, IMEI, etc.
• Insecure session management
• authorization
• Traffic interception
• Using proxies and sniffers
• Importing SSL certificates & trusted CA's
• Sensitive information transmission
• Bypassing server certificate validations
• Exposing insecure traffic

4. Insecure data K11storage
• Exploring deployed application files at the /data/data directory
• The file system security model
• Insecure file system permissions
• Insecure storage of sensitive data in files
• The SDcard
• The SQLite Database storage
• Using sqlite browser
• Application shared preferences storage
• Storage of sensitive data at the server side
• Secrets in code
• Insecure log exposure
• Bad cryptography

5. Reverse engineering the application binaries
• The APK file package
• APK extraction - Investigating layout, manifest, permissions and binaries
• Extracting the content of the classes.dex file
• Using smali/baksmali Dalvik assembler/disassembler
• Using jasmin/jasper JVM assembler/disassembler
• Decompilation
• Using dex2jar
• Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc
• Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access,
geo-location, address book, client xss and html injection, etc.
• Finding hard coded secrets in code
• Using Android Lint
• Code patching and modification
• Recreating and resigning the modified APK

6. Android application components security
• Major component types - Activity, Service, Content provider, Broadcast receiver
• The Intent message
• Components and the manifest file
• Using manifest explorer
• Component permissions and visibility
• Activating components
• Accessing restricted screens
• Attacking content providers and client side sql injection
• Direct component invocation by unauthorized apps

7. Analyzing Runtime Analysis
• Monitoring process activity
• Observing file access
• Monitoring network connectivity
• Debugging
• Setting breakpoints
• Memory dumping and analysis
• Analyzing logs using logcat

8. Android Platform Security Architecture
Android seeks to be the most secure and usable operating system for mobile platforms by re-purpo
Protect user data
Protect system resources (including the network)
Provide application isolation
To achieve these objectives, Android provides these key security features:
Robust security at the OS level through the Linux kernel
Mandatory application sandbox for all applications
Secure interprocess communication
Application signing
Application-defined and user-granted permissions
The sections below describe these and other security features of the Android platform. Figure 1 summarizes the security components and considera

10. New Android's Feature will Regularly Scan Your Apps
Recently Google has officially announced to increase the security of Android users by adding a new feature to android which will regularly scan all the
The new feature by Google would be a part of Verify Apps feature which is already protecting android users from harmful apps installed by third party
The feature will scan for spywares , malwares , sending unauthorized messages and in-app installations for changes in app activity after it is installed

11. The first comprehensive guide to discovering and preventing attacks on the Android OS
As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written b
If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you w
A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulne
Covers Android application building blocks and security as well as debugging and auditing Android apps
Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against a
Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.

13. IT Policy:
-Primary policy for all protection mechanisms
Access to Network/Resources/Settings
Prohibited and Mandatory installations of apps
Controlling third-party Java application permissions
-Per-Handset + Global Policy stored on BES
-Initial Policy is signed by master key at pairing
Stored in NV RAM
Future updates OTA must be signed by master key

14. Application Controls:
- All applications run in the JVM
- IT Policy controls how the applications interact
-Developed with the user and company in mind
Most restrictive overlap
- I9 application control policy categories
Cross Application Control
-Hardware
-Network domnains
-PIM data/ applications
-Inter-application communication
-Browser
-User Autherntication and Settings
-Input Simulation
-MDS

15. Code signing
- Core BB applications must be RIM Signed
- Class files verified for interface compliance
- No user-defined class loaders
-No Java Native Interface or user extensions
-System classes cannot be overridden

16. Data Security
-Java RMS offers various forms of crypto
-Keys must be explicitly shared by apps
-PIM protected by Blackberry Attachment Service
Renders and decrypts data on the BES
Sends rasterized information to display
Avoids image exploits
Manages PGP on BES

17. The iOS Security Model
Apple has incorporated four layers of security in iOS to protect the user and their data.
Device Security
Techniques to prevent an unauthorized individual from using the device
Data Security
Techniques to protect the data stored on the device, even if the device is stolen
Network Security
Tools to encrypt data while it is in transit across a network
Application Security
Mechanisms to secure the operating system and isolate applications while they are running

19. Information gathering
Observe application behavior
Determine the application’s data states (at rest, in transit or on display) and sensitivity
Identify access methods
Identify what frameworks are in use
Identify server side APIs that are in use
Identify what protocols are in use
Identify other applications or services with which the application interacts
Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulo
Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>.
Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <a
List the dynamic dependencies. Use otool –L <app name>
Dump the load commands for the application. Use otool –l <app name>
Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instanc
Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain.
Determine the security features in place:
Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the ―–fPIE –pie‖ flag) will load the executable at a fixed
Stack smashing protection - specify the –fstack-protector-all compiler flag. A ―canary‖ is placed on the stack to protect the saved base pointer, s

20. iPhone Analyzer allows you to forensically examine or recover data from in iOS device.
It principally works by importing backups produced from iTunes or third party software,
and providing you with a rich interface to explore, analyze and recover data in human readable formats.
Because it works from the backup files everything is forensically safe, and no changes are made to the data.
IPhone Analyzer is now free for Personal use

21. If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS app
This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect yo
Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps
Learn how attackers infect apps with malware through code injection
Discover how attackers defeat iOS keychain and data-protection encryption
Use a debugger and custom code injection to manipulate the runtime Objective-C environment
Prevent attackers from hijacking SSL sessions and stealing traffic
Securely delete files and design your apps to prevent forensic data leakage
Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace

22. Top 10 Mobile Risks
M1 : Weak Server Side Controls
M2 : Insecure Data Storage
M3 : Insufficient Transport Layer Protection
M4 : Unintended Data Leakage
M5 : Poor Authorization and Authentication
M6 : Broken Cryptography
M7 : Client Side Injection
M8 : Security Decisions Via Untrusted Inputs
M9 : Improper Session Handling
M10: Lack of Binary Protections

23. What is the Heartbleed bug?
It’s an OpenSSL vulnerability. OpenSSL is a security protocol that encrypts communications between your computer (or device) and a Web server. A
Most websites, many operating systems, and many apps use OpenSSL. It’s everywhere, and one version of it has a critical bug that lets hackers exp
Which operating systems are affected:
iOS devices are safe.
Windows Phone OS is likely safe.
BlackBerry is ―investigating.‖
Android is vulnerable if you have
version 4.1.1, according to Google.

25. OWASP Mobile Security Project - MobiSec
The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing m

27. Thank you!